Google Researcher Finds RCE Flaws in Trend Micro Product

Trend Micro has rolled out updates to patch easy-to-exploit vulnerabilities found by a Google Project Zero researcher in one of the security firm’s products.

On January 5, Google researcher Tavis Ormandy informed Trend Micro that he had identified a critical flaw in Password Manager, a component installed by default with Trend Micro’s Premium Security and Maximum Security home products.

Ormandy found that Password Manager, which is primarily written in JavaScript with Node.js, opens multiple HTTP RPC ports for handling API requests.

The expert said it only took him 30 seconds to identify an API that could be leveraged for remote code execution (RCE). An attacker simply needed to get the victim to visit a malicious website in order to execute commands on the host with the user’s privileges.

The Google researcher also noted that it was possible to bypass Internet Explorer’s Mark of the Web (MOTW) security feature and execute commands without the victim getting any prompts.

The proof-of-concept (PoC) submitted to Trend Micro abused the openUrlInDefaultBrowser API, but the expert raised concerns over the fact that Password Manager exposed nearly 70 APIs to the Internet. Ormandy hasn’t checked all the APIs, but he did notice nearly a dozen that were potentially dangerous.

The researcher also discovered that one of the APIs, exportBrowserPasswords, could have been leveraged by an attacker to force users to export their browser passwords to the password manager, and a different API allowed access to passwords stored in the Trend Micro product.

Ormandy said a malicious actor might have been able to steal user passwords silently and without any interaction from the victim, but Trend Micro argued that it would not have been easy to decrypt the encrypted passwords.

Trend Micro pushed out a patch to address the vulnerabilities on Monday and Ormandy has confirmed that the fix resolves the issues. The researcher has advised the security firm to hire external security consultants to audit the password manager’s code.

Trend Micro representatives told the Google expert that their product team has been reviewing the source code of the exposed APIs to ensure that no remote action is allowed.

Ormandy has recently analyzed the products of several security companies. He identified serious vulnerabilities in software from Kaspersky Lab, AVG, FireEye, Avast and others.

“We have strong evidence that an active black market trade in antivirus exploits exists. Research shows that it’s an easily accessible attack surface that dramatically increases exposure to targeted attacks,” Ormandy said at the time. “For this reason, the vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software.”

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.